Still learning Ansible... but I think this is a feature request / maybe a 
bug? 

Hoping there is a workaround.

Goal:  Create a user on a CentOS host with membership of the wheel group, an SSH key 
and a provided password, but NOT store the password in plain text within 
Ansible.

I am using Vault, where I encrypt a password and save it in my global 
variables file.

Ex: /group_vars/all.yml

    ansible-vault encrypt_string 'Password' --name 'vault_cluster_ssh_password'

# Add the above output to all.yml, and above it I add a line to create a 
# usable variable for the username
vault_cluster_ssh: cluster  # Account used for inter-node cluster tasks
vault_cluster_ssh_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          643939363138613738326434363632366636393131666432323134336332623463393061643730323461386536636<snip>6363234


Now.. I want to use that in a playbook

- name: Add the user 'cluster' with a bash shell, appending the group 'wheel', and generate an SSH key for hosts "{{ target_hosts }}"
  user:
    name: '{{ vault_cluster_ssh }}'
    shell: /bin/bash
    groups: wheel
    state: present
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    createhome: no
    password: "{{ vault_cluster_ssh_password | string | password_hash('sha512') }}"
    # password: '{{  Password  | string | password_hash('sha512') }}'

The commented line works, but the use of the variable does not.  All 
examples I have found still use clear-text passwords to create users, which 
is not allowed and bad form.
What I don't get is why they are shoving the output directly into 
/etc/shadow if you call to create a user, so you have to use the 
password_hash component.  Why would the user module not just take your 
"password variable" as an input parameter and use the OS "passwd" binary? Why 
is it shoving things directly into files with a manual hash?  There may be a 
reason, but this then creates the above issue where I cannot pass the input as 
a variable that leverages the standard Vault call.

Hoping there is a better way to do this / a workaround someone has.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/732d8fd1-3078-46f3-84c1-bc0778aa41acn%40googlegroups.com.
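As an added example (my own, not code from the original post or from the Ansible project), below is a complete playbook that consumes the vault-encrypted password exactly as the post sets it up and feeds it to the user module. The variable names `vault_cluster_ssh` and `vault_cluster_ssh_password` come from the post; the play name, the `target_hosts` default, the inline placeholder password (constructed so the file runs on its own) and the salt expression are my assumptions. Two practitioner details it adds beyond the post's task: `password_hash` with no salt argument draws a fresh random salt on every run, so the hash differs each time and the task reports "changed" on every play, which a per-host seeded salt avoids; and `append: true` is what actually makes `groups: wheel` additive rather than replacing the user's supplementary groups.

```yaml
# Added example, not from the original post or the Ansible project.
# Run with: ansible-playbook --ask-vault-pass cluster-user.yml
# (or --vault-password-file) so the !vault value can be decrypted.
- name: Create the cluster account from a vault-encrypted password
  hosts: "{{ target_hosts | default('all') }}"   # target_hosts is an assumption
  become: true
  vars:
    # In the real setup these two live in group_vars/all.yml and the second
    # is the output of `ansible-vault encrypt_string`. They are inlined here
    # only so this file is self-contained; the value is a constructed placeholder.
    vault_cluster_ssh: cluster
    vault_cluster_ssh_password: "ExamplePassword-ChangeMe"
  tasks:
    - name: Add the user with a bash shell, wheel membership and an SSH key
      ansible.builtin.user:
        name: "{{ vault_cluster_ssh }}"
        shell: /bin/bash
        groups: wheel
        append: true               # add wheel, keep existing supplementary groups
        state: present
        create_home: true          # the generated key is written under ~/.ssh
        generate_ssh_key: true
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
        # The user module writes a crypt(3) hash, so the secret is hashed on
        # the controller. `| string` unwraps the vault-decrypted value. The
        # salt is seeded per host: stable across runs, different per host.
        password: >-
          {{ vault_cluster_ssh_password | string
             | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}
        # Only set the password when the account is first created; switch to
        # 'always' if rotating the vault value should update existing accounts.
        update_password: on_create
      no_log: true                 # keep the secret and its hash out of play output
```

The `no_log: true` on the task also suppresses the module's error detail, so drop it temporarily when debugging a failing run. With `update_password: on_create`, changing `vault_cluster_ssh_password` later does not touch an account that already exists; set it to `always` if that is the intended behaviour.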